Internet traffic hijacking on the rise
- Published
Intentional redirection of internet traffic is on the rise, spurring calls for route announcements to be signed and secured and for violations of trust to be exposed through greater transparency between network operators.
Internet performance metrics vendor Renesys said that this year around 1,500 Internet Protocol (IP) address blocks have been hijacked on more than 60 days, including several incidents in Australia.
The attacks targetted financial institutions, voice over IP providers and governments, Renesys said.
Attackers take advantage of traffic routing announcements between networks using Border Gateway Protocol (BGP) being trust-based.
An attacker can abuse this by hijacking BGP routes of other providers, and inserting their own routers in the network path. Such a man in the middle attack would allow miscreants to intercept and capture data that originally was not destined to go through their networks.
It is easy to work out which network operator conducted the route hijacking, Renesys said, pointing to analysis of recent traffic redirection attacks done by Icelandic and Belarus providers.
Attackers rely on the misdirection going unnoticed, and Renesys explained that providers, banks, credit card processors and government agencies should monitor how their advertised IP address prefixes are being routed globally.
Work towards digitally signing and securing BGP routes is also underway. Guidelines published by the Communications Security Reliability and Interoperability Council (CSRIC) under the United States Federal Communications Commission (FCC) propose several measures for secure BGP deployment.
These include better information being published on which provider is authorised to route certain traffic at any given time and location, as well as setting up a cryptographic identity management system for this - the Resource Public Key Infrastructure (RPKI) - as part of a cautious, staged deployment of improved security for BGP.
However, Renesys warns that the internet may never see secured and signed BBGP routes, and suggests greater transparency between operators on the issue is the way to go to expose targetted traffic misdirection.
Routing mishaps have happened in the past, mostly by accident. In 1997, the operators of the Autonymous System 7007 caused widespread disruption to the internet by accidentally leaking most of its entire routing table and creating to a traffic black hole.
One of the better known cases of recent internet redirection involved the Pakistani government, which ordered YouTube to be blocked because of a video it considered offensive.
Incumbent telco Pakistan Telecom set up a route for YouTube traffic to its routers' discard interface, meaning data sent to it would simply be dropped and not forwarded.
After its upstream provider PCCW in Hong Kong sent the new routes and other operators picked them up, requests for YouTube traffic went via Pakistan, with nothing being served up to users from there.
PCCW resolved the issue by turning off peering with Pakistan Telecom, but the YouTube outage lasted some two hours.